Blitz Guard vs CASL

[lksnmnn]

Hey there,

I am just getting started with Blitz.js and spend the last hours attempting to bake in ABAC using CASL (https://github.com/stalniy/casl). My last problem to solve was to replace the simpleRolesIsAuthorized session middleware with an ability check from CASL. The Blitz.js docs are thin on details in regards to a custom middleware.

Now I found blitz-guard which basically achieves the same and is quite similar syntax wise (cancan). I've read through the docs and it seems very straight forward to use. Thank you and great job 👏 .

My only critique so far is the best practise section, where you state:

Remove all permissions, give them one by one.

If this is best practise (I think it should be!), wouldn't it be easier to automatically disallow everything in the library and force the user to give permissions one by one? This would be in the spirit of Falling Into The Pit of Success, as it prevents users from shooting themselves in the knee too easily.

In any case, I am going to test blitz-guard now :) 👍

Cheers,
Lukas

[ntgussoni]

Hi Lucas, thank you for your time and words!

You might actually have a point there. My line of thought was that I didn't want to force the dev to protect everything in one go or else they wouldn't be able to use their software.

For a starting project "forcing" the dev to allow certain parts and having everything protected as default could be an easy job, but for bigger projects where it takes time I don't really know if this is the best approach.

You def. have a point in saying that if it's a best practise it should be enforced to prevent people from shooting themselves in the knee.

Could this perhaps be optional on the Reicipe level? Asking the user if they want to basically add a cannot('manage', 'all') at the begining of their ability file by default.

[lksnmnn]

I like the idea of asking the user during the recipe installation. I just ran through it myself and think this would be a good place to do this. Right now the comment in the GuardBuilder already statesyou can start by removing access to everything and gradually adding the necessary permissions but does not have cannot('manage', 'all') as the first example.

Additionally, could the user decide at that point, to enable the developer middleware to be warned about unprotected routes?

[ntgussoni]

Indeed! I didn't have the time to mess with jscodeshift to update the blitz.config file but I will.
I created these, for next version unless there's someone who wants to make a PR before that :)

#22
#23